localStorage bug allows sites to fill up hard disk / crash Safari
||Date Originated:||Feb 27, 2013|
||Product Version:||6.0.2 (8536.26.17)|
Using multiple subdomains with localStorage, ala 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on allows a single domain to use effectively unlimited space on the user's hard disk. Also, Safari seems to crash when the amount of data stored is equal to the amount of RAM the user has.
Steps to Reproduce:
1. Visit http://filldisk.com
2. Safari crashes after amount stored into localStorage equals the amount of RAM the user has.
3. Or, even if Safari doesn't crash, it's still really bad that sites can fill up your hard disk.
The spec (http://www.w3.org/TR/webstorage/) suggests this:
"User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit. A mostly arbitrary limit of five megabytes per origin is recommended."
A single domain is allowed to fill up the user's hard disk / crash Safari.
Other browsers tested:
Chrome 25: Fail
Firefox 18: Pass
IE 10: Fail
Reports posted here will not necessarily be seen by Apple.
All problems should be submitted at bugreport.apple.com before they are posted here.
Please only post information for Radars that you have filed yourself, and please do
not include Apple confidential information in your posts. Thank you!